rockbox/utils/hwpatcher/fuzep_rb.lua

--[[
Fuze+ RB hacking
required argument (in order):
- path to firmware
- path to output firmware
- path to blob
]]-- 

if #arg < 3 then
    error("not enough argument to fuzep patcher")
end

local fw = hwp.load_file(arg[1])
local irq_addr_pool = hwp.make_addr(0x38)
local proxy_addr = arm.to_arm(hwp.make_addr(0x60115ba4))
-- read old IRQ address pool
local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))
print(string.format("Old IRQ address: %s", old_irq_addr))
-- modify it
hwp.write32(fw, irq_addr_pool, proxy_addr.addr)
print(string.format("New IRQ address: %s", proxy_addr))
-- in proxy, save registers
arm.write_save_regs(fw, proxy_addr)
proxy_addr = hwp.inc_addr(proxy_addr, 4)
-- do some work
local blob = hwp.load_bin_file(arg[3])
local blob_info = hwp.section_info(blob, "")
local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)
hwp.write(fw, proxy_addr, blob_data)
proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)
-- restore registers
arm.write_restore_regs(fw, proxy_addr)
proxy_addr = hwp.inc_addr(proxy_addr, 4)
-- branch to old code
local branch_to_old = arm.make_branch(old_irq_addr, false)
arm.write_branch(fw, proxy_addr, branch_to_old)
-- save
hwp.save_file(fw, arg[2])
Introduce hwpatcher, a tool to patch binaries This tool is a scriptable (lua) tool to patch binaries, it supports: - raw binary - ELF - SB(v1/v2) It also contains some basic routines to parse and generate useful arm/thumb code like jump or register load/store. This is very useful to take a firmware and patch an interrupt vector or some code to jump to an extra payload added to the binary. Examples are provided for several STMP based target which the payload is expected to be hwstub, and also for the Sansa View. A typical patcher usually requires three elements: - the lua patcher itself - the payload (hwstub for example) - (optional) a small stub either to jump properly to the payload or determine under which circumstance to do the jump (hold a key for example) Change-Id: I6d36020a3bc9e636615ac8221b7591ade5f251e3 2014-06-24 16:04:17 +00:00			`--[[`
			`Fuze+ RB hacking`
			`required argument (in order):`
			`- path to firmware`
			`- path to output firmware`
			`- path to blob`
			`]]--`

			`if #arg < 3 then`
			`error("not enough argument to fuzep patcher")`
			`end`

			`local fw = hwp.load_file(arg[1])`
			`local irq_addr_pool = hwp.make_addr(0x38)`
			`local proxy_addr = arm.to_arm(hwp.make_addr(0x60115ba4))`
			`-- read old IRQ address pool`
			`local old_irq_addr = hwp.make_addr(hwp.read32(fw, irq_addr_pool))`
			`print(string.format("Old IRQ address: %s", old_irq_addr))`
			`-- modify it`
			`hwp.write32(fw, irq_addr_pool, proxy_addr.addr)`
			`print(string.format("New IRQ address: %s", proxy_addr))`
			`-- in proxy, save registers`
			`arm.write_save_regs(fw, proxy_addr)`
			`proxy_addr = hwp.inc_addr(proxy_addr, 4)`
			`-- do some work`
			`local blob = hwp.load_bin_file(arg[3])`
			`local blob_info = hwp.section_info(blob, "")`
			`local blob_data = hwp.read(blob, hwp.make_addr(blob_info.addr, ""), blob_info.size)`
			`hwp.write(fw, proxy_addr, blob_data)`
			`proxy_addr = hwp.inc_addr(proxy_addr, blob_info.size)`
			`-- restore registers`
			`arm.write_restore_regs(fw, proxy_addr)`
			`proxy_addr = hwp.inc_addr(proxy_addr, 4)`
			`-- branch to old code`
			`local branch_to_old = arm.make_branch(old_irq_addr, false)`
			`arm.write_branch(fw, proxy_addr, branch_to_old)`
			`-- save`
			`hwp.save_file(fw, arg[2])`